Try   HackMD

Assembly analysis for override pt 2

level08

objdump -M intel -d level08
objdump -s -j .rodata level08

main

4009f0:       55                      push   rbp
4009f1:       48 89 e5                mov    rbp,rsp
4009f4:       48 81 ec b0 00 00 00    sub    rsp,0xb0
4009fb:       89 bd 6c ff ff ff       mov    DWORD PTR [rbp-0x94],edi
400a01:       48 89 b5 60 ff ff ff    mov    QWORD PTR [rbp-0xa0],rsi
400a08:       64 48 8b 04 25 28 00    mov    rax,QWORD PTR fs:0x28
400a11:       48 89 45 f8             mov    QWORD PTR [rbp-0x8],rax
400a15:       31 c0                   xor    eax,eax

Sets up stack frame and allocates 176 bytes for the stack. Store the initial value of edi argc? in [rbp-0x94] aka argc_stack and rsi argv? in [rbp-0xa0] aka argv_stack

store 40 in [rbp-0x8] aka count and clears eax

400a17:       c6 45 8f ff             mov    BYTE PTR [rbp-0x71],0xff
400a1b:       c7 45 88 ff ff ff ff    mov    DWORD PTR [rbp-0x78],0xffffffff
400a22:       83 bd 6c ff ff ff 02    cmp    DWORD PTR [rbp-0x94],0x2
400a29:       74 1f                   je     400a4a <main+0x5a>
400a2b:       48 8b 85 60 ff ff ff    mov    rax,QWORD PTR [rbp-0xa0]
400a32:       48 8b 10                mov    rdx,QWORD PTR [rax]
400a35:       b8 57 0d 40 00          mov    eax,0x400d57
400a3a:       48 89 d6                mov    rsi,rdx
400a3d:       48 89 c7                mov    rdi,rax
400a40:       b8 00 00 00 00          mov    eax,0x0
400a45:       e8 e6 fc ff ff          call   400730 <printf@plt>
400a4a:       ba 6b 0d 40 00          mov    edx,0x400d6b
400a4f:       b8 6d 0d 40 00          mov    eax,0x400d6d
400a54:       48 89 d6                mov    rsi,rdx
400a57:       48 89 c7                mov    rdi,rax
400a5a:       e8 61 fd ff ff          call   4007c0 <fopen@plt>
400a5f:       48 89 85 78 ff ff ff    mov    QWORD PTR [rbp-0x88],rax
400a66:       48 83 bd 78 ff ff ff    cmp    QWORD PTR [rbp-0x88],0x0
400a6d:       00
400a6e:       75 21                   jne    400a91 <main+0xa1>
400a70:       b8 7c 0d 40 00          mov    eax,0x400d7c
400a75:       be 6d 0d 40 00          mov    esi,0x400d6d
400a7a:       48 89 c7                mov    rdi,rax
400a7d:       b8 00 00 00 00          mov    eax,0x0
400a82:       e8 a9 fc ff ff          call   400730 <printf@plt>
400a87:       bf 01 00 00 00          mov    edi,0x1
400a8c:       e8 3f fd ff ff          call   4007d0 <exit@plt>

Store 0xff in [rbp-0x71] aka currchar, compare argc with 0x2. If it is equal, dont log usage. If not, load argv_stack[0] and call printf("Usage: %s filename", argv[0]). call fopen("/backups/.log", "w"). Move the return value to [rbp-0x88] aka logfile and compare it with 0. If its not equal, jump to 400a91. else, printf("ERROR: Failed to open %s", "/backups/.log"); and exit(1)

400a91:       48 8b 85 60 ff ff ff    mov    rax,QWORD PTR [rbp-0xa0]
400a98:       48 83 c0 08             add    rax,0x8
400a9c:       48 8b 10                mov    rdx,QWORD PTR [rax]
400a9f:       48 8b 85 78 ff ff ff    mov    rax,QWORD PTR [rbp-0x88]
400aa6:       be 96 0d 40 00          mov    esi,0x400d96
400aab:       48 89 c7                mov    rdi,rax
400aae:       e8 11 fe ff ff          call   4008c4 <log_wrapper>
400ab3:       ba a9 0d 40 00          mov    edx,0x400da9
400ab8:       48 8b 85 60 ff ff ff    mov    rax,QWORD PTR [rbp-0xa0]
400abf:       48 83 c0 08             add    rax,0x8
400ac3:       48 8b 00                mov    rax,QWORD PTR [rax]
400ac6:       48 89 d6                mov    rsi,rdx
400ac9:       48 89 c7                mov    rdi,rax
400acc:       e8 ef fc ff ff          call   4007c0 <fopen@plt>
400ad1:       48 89 45 80             mov    QWORD PTR [rbp-0x80],rax
400ad5:       48 83 7d 80 00          cmp    QWORD PTR [rbp-0x80],0x0
400ada:       75 2d                   jne    400b09 <main+0x119>
400adc:       48 8b 85 60 ff ff ff    mov    rax,QWORD PTR [rbp-0xa0]
400ae3:       48 83 c0 08             add    rax,0x8
400ae7:       48 8b 10                mov    rdx,QWORD PTR [rax]
400aea:       b8 7c 0d 40 00          mov    eax,0x400d7c
400aef:       48 89 d6                mov    rsi,rdx
400af2:       48 89 c7                mov    rdi,rax
400af5:       b8 00 00 00 00          mov    eax,0x0
400afa:       e8 31 fc ff ff          call   400730 <printf@plt>
400aff:       bf 01 00 00 00          mov    edi,0x1
400b04:       e8 c7 fc ff ff          call   4007d0 <exit@plt>

Load argv_stack[1] into rdx, call log_wrapper(logfile, "Starting back up:", argv_stack[1]) and call fopen(argv_stack[1], "r")and save the result at [rbp-0x80] aka inputfilestream . If its not null, jump to 400b09 , if it is, printf("ERROR: Failed to open %s", argv_stack[1]) and `exit(1)

400b09:       ba ab 0d 40 00          mov    edx,0x400dab
400b0e:       48 8d 45 90             lea    rax,[rbp-0x70]
400b12:       48 8b 0a                mov    rcx,QWORD PTR [rdx]
400b15:       48 89 08                mov    QWORD PTR [rax],rcx
400b18:       0f b7 4a 08             movzx  ecx,WORD PTR [rdx+0x8]
400b1c:       66 89 48 08             mov    WORD PTR [rax+0x8],cx
400b20:       0f b6 52 0a             movzx  edx,BYTE PTR [rdx+0xa]
400b24:       88 50 0a                mov    BYTE PTR [rax+0xa],dl
400b27:       48 8d 45 90             lea    rax,[rbp-0x70]
400b2b:       48 c7 85 58 ff ff ff    mov    QWORD PTR [rbp-0xa8],0xffffffffffffffff
400b32:       ff ff ff ff
400b36:       48 89 c2                mov    rdx,rax
400b39:       b8 00 00 00 00          mov    eax,0x0
400b3e:       48 8b 8d 58 ff ff ff    mov    rcx,QWORD PTR [rbp-0xa8]
400b45:       48 89 d7                mov    rdi,rdx
400b48:       f2 ae                   repnz scas al,BYTE PTR es:[rdi]
400b4a:       48 89 c8                mov    rax,rcx
400b4d:       48 f7 d0                not    rax
400b50:       48 8d 50 ff             lea    rdx,[rax-0x1]
400b54:       b8 63 00 00 00          mov    eax,0x63
400b59:       48 89 c1                mov    rcx,rax
400b5c:       48 29 d1                sub    rcx,rdx
400b5f:       48 89 ca                mov    rdx,rcx
400b62:       48 8b 85 60 ff ff ff    mov    rax,QWORD PTR [rbp-0xa0]
400b69:       48 83 c0 08             add    rax,0x8
400b6d:       48 8b 00                mov    rax,QWORD PTR [rax]
400b70:       48 89 c1                mov    rcx,rax
400b73:       48 8d 45 90             lea    rax,[rbp-0x70]
400b77:       48 89 ce                mov    rsi,rcx
400b7a:       48 89 c7                mov    rdi,rax
400b7d:       e8 ce fb ff ff          call   400750 <strncat@plt>

Load "./backups/" into [rbp-0x70] aka prefix, load a buffer at [rbp-0xa8] aka dest set up args and call strcpy(dest, prefix) and strncat(prefix, argv[1], 99 - strlen(prefix) - 1).

400b82:       48 8d 45 90             lea    rax,[rbp-0x70]
400b86:       ba b0 01 00 00          mov    edx,0x1b0
400b8b:       be c1 00 00 00          mov    esi,0xc1
400b90:       48 89 c7                mov    rdi,rax
400b93:       b8 00 00 00 00          mov    eax,0x0
400b98:       e8 13 fc ff ff          call   4007b0 <open@plt>
400b9d:       89 45 88                mov    DWORD PTR [rbp-0x78],eax
400ba0:       83 7d 88 00             cmp    DWORD PTR [rbp-0x78],0x0
400ba4:       79 47                   jns    400bed <main+0x1fd>
400ba6:       48 8b 85 60 ff ff ff    mov    rax,QWORD PTR [rbp-0xa0]
400bad:       48 83 c0 08             add    rax,0x8
400bb1:       48 8b 10                mov    rdx,QWORD PTR [rax]
400bb4:       b8 b6 0d 40 00          mov    eax,0x400db6
400bb9:       be ab 0d 40 00          mov    esi,0x400dab
400bbe:       48 89 c7                mov    rdi,rax
400bc1:       b8 00 00 00 00          mov    eax,0x0
400bc6:       e8 65 fb ff ff          call   400730 <printf@plt>
400bcb:       bf 01 00 00 00          mov    edi,0x1
400bd0:       e8 fb fb ff ff          call   4007d0 <exit@plt>

call open(prefix, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP). Saves the fd at [rbp-0x78] aka backupfile and check if greater than 0. If not, printf("ERROR: Failed to open %s%s\n", "./backups/", argv_stack[1]) and exit(1). If it is, jump to 400bed (loop check)

400bd5:       48 8d 4d 8f             lea    rcx,[rbp-0x71]
400bd9:       8b 45 88                mov    eax,DWORD PTR [rbp-0x78]
400bdc:       ba 01 00 00 00          mov    edx,0x1
400be1:       48 89 ce                mov    rsi,rcx
400be4:       89 c7                   mov    edi,eax
400be6:       e8 15 fb ff ff          call   400700 <write@plt>
400beb:       eb 01                   jmp    400bee <main+0x1fe>
400bed:       90                      nop
400bee:       48 8b 45 80             mov    rax,QWORD PTR [rbp-0x80]
400bf2:       48 89 c7                mov    rdi,rax
400bf5:       e8 66 fb ff ff          call   400760 <fgetc@plt>
400bfa:       88 45 8f                mov    BYTE PTR [rbp-0x71],al
400bfd:       0f b6 45 8f             movzx  eax,BYTE PTR [rbp-0x71]
400c01:       3c ff                   cmp    al,0xff
400c03:       75 d0                   jne    400bd5 <main+0x1e5>

Call write(backupfile, currchar, 1) and jump to 400bee. at 400bee, load inputfielstream and call fgets(inputfilestream) and save result to currchar. Compares it with 0xff (EOF). If they are equal, exit the loop.

400c05:       48 8b 85 60 ff ff ff    mov    rax,QWORD PTR [rbp-0xa0]
400c0c:       48 83 c0 08             add    rax,0x8
400c10:       48 8b 10                mov    rdx,QWORD PTR [rax]
400c13:       48 8b 85 78 ff ff ff    mov    rax,QWORD PTR [rbp-0x88]
400c1a:       be d2 0d 40 00          mov    esi,0x400dd2
400c1f:       48 89 c7                mov    rdi,rax
400c22:       e8 9d fc ff ff          call   4008c4 <log_wrapper>
400c27:       48 8b 45 80             mov    rax,QWORD PTR [rbp-0x80]
400c2b:       48 89 c7                mov    rdi,rax
400c2e:       e8 dd fa ff ff          call   400710 <fclose@plt>
400c33:       8b 45 88                mov    eax,DWORD PTR [rbp-0x78]
400c36:       89 c7                   mov    edi,eax
400c38:       e8 33 fb ff ff          call   400770 <close@plt>
400c3d:       b8 00 00 00 00          mov    eax,0x0
400c42:       48 8b 7d f8             mov    rdi,QWORD PTR [rbp-0x8]
400c46:       64 48 33 3c 25 28 00    xor    rdi,QWORD PTR fs:0x28
400c4d:       00 00
400c4f:       74 05                   je     400c56 <main+0x266>
400c51:       e8 ca fa ff ff          call   400720 <__stack_chk_fail@plt>
400c56:       c9                      leave
400c57:       c3                      ret

derefrence argv_stack[1] into rdx and call log_wrapper(logfile, "Finished back up", argv_stack[1]). close fclose(inputfilestream) and close(backupfile) and return.

log_wrapper

4008c4:       55                      push   rbp
4008c5:       48 89 e5                mov    rbp,rsp
4008c8:       48 81 ec 30 01 00 00    sub    rsp,0x130
4008cf:       48 89 bd e8 fe ff ff    mov    QWORD PTR [rbp-0x118],rdi
4008d6:       48 89 b5 e0 fe ff ff    mov    QWORD PTR [rbp-0x120],rsi
4008dd:       48 89 95 d8 fe ff ff    mov    QWORD PTR [rbp-0x128],rdx
4008e4:       64 48 8b 04 25 28 00    mov    rax,QWORD PTR fs:0x28
4008eb:       00 00
4008ed:       48 89 45 f8             mov    QWORD PTR [rbp-0x8],rax
4008f1:       31 c0                   xor    eax,eax
4008f3:       48 8b 95 e0 fe ff ff    mov    rdx,QWORD PTR [rbp-0x120]
4008fa:       48 8d 85 f0 fe ff ff    lea    rax,[rbp-0x110]
400901:       48 89 d6                mov    rsi,rdx
400904:       48 89 c7                mov    rdi,rax
400907:       e8 e4 fd ff ff          call   4006f0 <strcpy@plt>

Setus up stack and allocates 304 bytes for the stack. Load arg1 at [rbp-0x118] aka logfile, arg2 at [rbp-0x120] aka string, arg3 at [rbp-0x128] aka inpfile_path. write 40 to [rbp-0x8] aka count. Load a new variable at [rbp-0x110] aka dest, call strcpy(dest, string).

40090c:       48 8b b5 d8 fe ff ff    mov    rsi,QWORD PTR [rbp-0x128]
400913:       48 8d 85 f0 fe ff ff    lea    rax,[rbp-0x110]
40091a:       48 c7 85 d0 fe ff ff    mov    QWORD PTR [rbp-0x130],0xffffffffffffffff
400921:       ff ff ff ff
400925:       48 89 c2                mov    rdx,rax
400928:       b8 00 00 00 00          mov    eax,0x0
40092d:       48 8b 8d d0 fe ff ff    mov    rcx,QWORD PTR [rbp-0x130]
400934:       48 89 d7                mov    rdi,rdx
400937:       f2 ae                   repnz scas al,BYTE PTR es:[rdi]
400939:       48 89 c8                mov    rax,rcx
40093c:       48 f7 d0                not    rax
40093f:       48 8d 50 ff             lea    rdx,[rax-0x1]
400943:       b8 fe 00 00 00          mov    eax,0xfe
400948:       49 89 c0                mov    r8,rax
40094b:       49 29 d0                sub    r8,rdx
40094e:       48 8d 85 f0 fe ff ff    lea    rax,[rbp-0x110]
400955:       48 c7 85 d0 fe ff ff    mov    QWORD PTR [rbp-0x130],0xffffffffffffffff
40095c:       ff ff ff ff
400960:       48 89 c2                mov    rdx,rax
400963:       b8 00 00 00 00          mov    eax,0x0
400968:       48 8b 8d d0 fe ff ff    mov    rcx,QWORD PTR [rbp-0x130]
40096f:       48 89 d7                mov    rdi,rdx
400972:       f2 ae                   repnz scas al,BYTE PTR es:[rdi]
400974:       48 89 c8                mov    rax,rcx
400977:       48 f7 d0                not    rax
40097a:       48 8d 50 ff             lea    rdx,[rax-0x1]
40097e:       48 8d 85 f0 fe ff ff    lea    rax,[rbp-0x110]
400985:       48 01 d0                add    rax,rdx
400988:       48 89 f2                mov    rdx,rsi
40098b:       4c 89 c6                mov    rsi,r8
40098e:       48 89 c7                mov    rdi,rax
400991:       b8 00 00 00 00          mov    eax,0x0
400996:       e8 a5 fd ff ff          call   400740 <snprintf@plt>
40099b:       48 8d 85 f0 fe ff ff    lea    rax,[rbp-0x110]
4009a2:       be 4c 0d 40 00          mov    esi,0x400d4c
4009a7:       48 89 c7                mov    rdi,rax
4009aa:       e8 d1 fd ff ff          call   400780 <strcspn@plt>
4009af:       c6 84 05 f0 fe ff ff    mov    BYTE PTR [rbp+rax*1-0x110],0x0

Prepare arguments to call snprintf(dest + strlen(dest), 254 - strlen(dest) - 1, inpfile_path) and then calls dest[strcspn(dest, "/n")] = 0

4009b7:       b9 4e 0d 40 00          mov    ecx,0x400d4e
4009bc:       48 8d 95 f0 fe ff ff    lea    rdx,[rbp-0x110]
4009c3:       48 8b 85 e8 fe ff ff    mov    rax,QWORD PTR [rbp-0x118]
4009ca:       48 89 ce                mov    rsi,rcx
4009cd:       48 89 c7                mov    rdi,rax
4009d0:       b8 00 00 00 00          mov    eax,0x0
4009d5:       e8 c6 fd ff ff          call   4007a0 <fprintf@plt>
4009da:       48 8b 45 f8             mov    rax,QWORD PTR [rbp-0x8]
4009de:       64 48 33 04 25 28 00    xor    rax,QWORD PTR fs:0x28
4009e5:       00 00
4009e7:       74 05                   je     4009ee <log_wrapper+0x12a>
4009e9:       e8 32 fd ff ff          call   400720 <__stack_chk_fail@plt>
4009ee:       c9                      leave
4009ef:       c3                      ret

Call fprintf(logfile, "LOG: %s", dest) and returns.

level09

objdump -M intel -d level09
objdump -s -j .rodata level09

main

aa8:	55                   	push   rbp
aa9:	48 89 e5             	mov    rbp,rsp
aac:	48 8d 3d 5d 01 00 00 	lea    rdi,[rip+0x15d]        # c10 <_IO_stdin_used+0x58>
ab3:	e8 78 fc ff ff       	call   730 <puts@plt>
ab8:	e8 03 fe ff ff       	call   8c0 <handle_msg>
abd:	b8 00 00 00 00       	mov    eax,0x0
ac2:	5d                   	pop    rbp
ac3:	c3                   	ret

Load a string and calls

    puts("--------------------------------------------\n|   ~Welcome to l33t-m$n ~    v1337        |\n--------------------------------------------");

calls handle_msg() and returns 0;

handle_msg

8c0:	55                   	push   rbp
8c1:	48 89 e5             	mov    rbp,rsp
8c4:	48 81 ec c0 00 00 00 	sub    rsp,0xc0
8cb:	48 8d 85 40 ff ff ff 	lea    rax,[rbp-0xc0]
8d2:	48 05 8c 00 00 00    	add    rax,0x8c
8d8:	48 c7 00 00 00 00 00 	mov    QWORD PTR [rax],0x0
8df:	48 c7 40 08 00 00 00 	mov    QWORD PTR [rax+0x8],0x0
8e6:	00 
8e7:	48 c7 40 10 00 00 00 	mov    QWORD PTR [rax+0x10],0x0
8ee:	00 
8ef:	48 c7 40 18 00 00 00 	mov    QWORD PTR [rax+0x18],0x0
8f6:	00 
8f7:	48 c7 40 20 00 00 00 	mov    QWORD PTR [rax+0x20],0x0
8fe:	00 
8ff:	c7 45 f4 8c 00 00 00 	mov    DWORD PTR [rbp-0xc],0x8c

Sets up stack and allocates 192 bytes on the stack. Loads a variable at [rbp-0xc0] aka var1, increments the pointer to [rbp-0x34] (c0 - 8c), sets [rbp-0x34], [rbp-0x34+0x8], [rbp-0x34+0x10], [rbp-0x34+0x20] to 0, and writes 140 to [rbp-0xc] aka num. Since this is a 64 bit program, a word is 8 bytes so we can assume that [rbp-0x34] to [rbp-0xc] are contigious zeroes memset([rbp-0x34], 0, 40).

Since the assembly only loaded one address from memory and assigns values relatively, we can also say that they are loading a struct like so

struct my_struct {
    char    msg[0x8c];
	char    username[0x28];
	int    msglen;
};

906:	48 8d 85 40 ff ff ff 	lea    rax,[rbp-0xc0]
90d:	48 89 c7             	mov    rdi,rax
910:	e8 b8 00 00 00       	call   9cd <set_username>
915:	48 8d 85 40 ff ff ff 	lea    rax,[rbp-0xc0]
91c:	48 89 c7             	mov    rdi,rax
91f:	e8 0e 00 00 00       	call   932 <set_msg>
924:	48 8d 3d 95 02 00 00 	lea    rdi,[rip+0x295]        # bc0 <_IO_stdin_used+0x8>
92b:	e8 00 fe ff ff       	call   730 <puts@plt>
930:	c9                   	leave  
931:	c3                   	ret

calls set_username(&var1) and set_msg(&var1) and call puts(">: Msg sent!")

set_username

9cd:	55                   	push   rbp
9ce:	48 89 e5             	mov    rbp,rsp
9d1:	48 81 ec a0 00 00 00 	sub    rsp,0xa0
9d8:	48 89 bd 68 ff ff ff 	mov    QWORD PTR [rbp-0x98],rdi
9df:	48 8d 85 70 ff ff ff 	lea    rax,[rbp-0x90]
9e6:	48 89 c6             	mov    rsi,rax
9e9:	b8 00 00 00 00       	mov    eax,0x0
9ee:	ba 10 00 00 00       	mov    edx,0x10
9f3:	48 89 f7             	mov    rdi,rsi
9f6:	48 89 d1             	mov    rcx,rdx
9f9:	f3 48 ab             	rep stos QWORD PTR es:[rdi],rax
9fc:	48 8d 3d e1 01 00 00 	lea    rdi,[rip+0x1e1]        # be4 <_IO_stdin_used+0x2c>
a03:	e8 28 fd ff ff       	call   730 <puts@plt>
a08:	48 8d 05 d0 01 00 00 	lea    rax,[rip+0x1d0]        # bdf <_IO_stdin_used+0x27>
a0f:	48 89 c7             	mov    rdi,rax
a12:	b8 00 00 00 00       	mov    eax,0x0
a17:	e8 34 fd ff ff       	call   750 <printf@plt>

Allocates 160 bytes on the stack, loads argument1 &var1 at [rbp-0x98] and loads variable [rbp-0x90] aka temp. call memset(temp, 0, 16) and call

puts(">: Enter your username");
printf(">>: ");

a1c:	48 8b 05 95 15 20 00 	mov    rax,QWORD PTR [rip+0x201595]        # 201fb8 <_DYNAMIC+0x198>
a23:	48 8b 00             	mov    rax,QWORD PTR [rax]
a26:	48 89 c2             	mov    rdx,rax
a29:	48 8d 85 70 ff ff ff 	lea    rax,[rbp-0x90]
a30:	be 80 00 00 00       	mov    esi,0x80
a35:	48 89 c7             	mov    rdi,rax
a38:	e8 33 fd ff ff       	call   770 <fgets@plt>
a3d:	c7 45 fc 00 00 00 00 	mov    DWORD PTR [rbp-0x4],0x0
a44:	eb 24                	jmp    a6a <set_username+0x9d>
a46:	8b 45 fc             	mov    eax,DWORD PTR [rbp-0x4]
a49:	48 98                	cdqe   
a4b:	0f b6 8c 05 70 ff ff 	movzx  ecx,BYTE PTR [rbp+rax*1-0x90]
a52:	ff 
a53:	48 8b 95 68 ff ff ff 	mov    rdx,QWORD PTR [rbp-0x98]
a5a:	8b 45 fc             	mov    eax,DWORD PTR [rbp-0x4]
a5d:	48 98                	cdqe   
a5f:	88 8c 02 8c 00 00 00 	mov    BYTE PTR [rdx+rax*1+0x8c],cl
a66:	83 45 fc 01          	add    DWORD PTR [rbp-0x4],0x1
a6a:	83 7d fc 28          	cmp    DWORD PTR [rbp-0x4],0x28
a6e:	7f 11                	jg     a81 <set_username+0xb4>
a70:	8b 45 fc             	mov    eax,DWORD PTR [rbp-0x4]
a73:	48 98                	cdqe   
a75:	0f b6 84 05 70 ff ff 	movzx  eax,BYTE PTR [rbp+rax*1-0x90]
a7c:	ff 
a7d:	84 c0                	test   al,al
a7f:	75 c5                	jne    a46 <set_username+0x79>
a81:	48 8b 85 68 ff ff ff 	mov    rax,QWORD PTR [rbp-0x98]
a88:	48 8d 90 8c 00 00 00 	lea    rdx,[rax+0x8c]
a8f:	48 8d 05 65 01 00 00 	lea    rax,[rip+0x165]        # bfb <_IO_stdin_used+0x43>
a96:	48 89 d6             	mov    rsi,rdx
a99:	48 89 c7             	mov    rdi,rax
a9c:	b8 00 00 00 00       	mov    eax,0x0
aa1:	e8 aa fc ff ff       	call   750 <printf@plt>
aa6:	c9                   	leave

Call fgets(temp, 120, stdin), store 0 at a variable at [rbp-0x4] aka count and jump to a6a (loop check)

In a6a, count is compared to 40. If its greater than 40, or temp[count] is not 0, the loop exits.

In the loop at a44, do var1->username[count] = temp[count] and ++count

Once the loop exits at a81, call printf(">: Welcome, %s", var1->username) and return.

set_msg

932:	55                   	push   rbp
933:	48 89 e5             	mov    rbp,rsp
936:	48 81 ec 10 04 00 00 	sub    rsp,0x410
93d:	48 89 bd f8 fb ff ff 	mov    QWORD PTR [rbp-0x408],rdi
944:	48 8d 85 00 fc ff ff 	lea    rax,[rbp-0x400]
94b:	48 89 c6             	mov    rsi,rax
94e:	b8 00 00 00 00       	mov    eax,0x0
953:	ba 80 00 00 00       	mov    edx,0x80
958:	48 89 f7             	mov    rdi,rsi
95b:	48 89 d1             	mov    rcx,rdx
95e:	f3 48 ab             	rep stos QWORD PTR es:[rdi],rax
961:	48 8d 3d 65 02 00 00 	lea    rdi,[rip+0x265]        # bcd <_IO_stdin_used+0x15>
968:	e8 c3 fd ff ff       	call   730 <puts@plt>
96d:	48 8d 05 6b 02 00 00 	lea    rax,[rip+0x26b]        # bdf <_IO_stdin_used+0x27>
974:	48 89 c7             	mov    rdi,rax
977:	b8 00 00 00 00       	mov    eax,0x0
97c:	e8 cf fd ff ff       	call   750 <printf@plt>
981:	48 8b 05 30 16 20 00 	mov    rax,QWORD PTR [rip+0x201630]        # 201fb8 <_DYNAMIC+0x198>
988:	48 8b 00             	mov    rax,QWORD PTR [rax]
98b:	48 89 c2             	mov    rdx,rax
98e:	48 8d 85 00 fc ff ff 	lea    rax,[rbp-0x400]
995:	be 00 04 00 00       	mov    esi,0x400
99a:	48 89 c7             	mov    rdi,rax
99d:	e8 ce fd ff ff       	call   770 <fgets@plt>
9a2:	48 8b 85 f8 fb ff ff 	mov    rax,QWORD PTR [rbp-0x408]
9a9:	8b 80 b4 00 00 00    	mov    eax,DWORD PTR [rax+0xb4]
9af:	48 63 d0             	movsxd rdx,eax
9b2:	48 8d 8d 00 fc ff ff 	lea    rcx,[rbp-0x400]
9b9:	48 8b 85 f8 fb ff ff 	mov    rax,QWORD PTR [rbp-0x408]
9c0:	48 89 ce             	mov    rsi,rcx
9c3:	48 89 c7             	mov    rdi,rax
9c6:	e8 55 fd ff ff       	call   720 <strncpy@plt>
9cb:	c9                   	leave  
9cc:	c3                   	ret

Allocate 1040 bytes to the stack, loads argument1 &var1 at [rbp-0x408] and loads variable at [rbp-0x400] aka *temp. Call memset(temp, 0, 128) then puts(">: Msg @Unix-Dude") and printf(">>: ").

Call fgets(temp, 1024, stdin) and strncpy(var1->message, temp, var1->msglen) and return.

secret_backdoor

88c:	55                   	push   rbp
88d:	48 89 e5             	mov    rbp,rsp
890:	48 83 c4 80          	add    rsp,0xffffffffffffff80
894:	48 8b 05 1d 17 20 00 	mov    rax,QWORD PTR [rip+0x20171d]        # 201fb8 <_DYNAMIC+0x198>
89b:	48 8b 00             	mov    rax,QWORD PTR [rax]
89e:	48 89 c2             	mov    rdx,rax
8a1:	48 8d 45 80          	lea    rax,[rbp-0x80]
8a5:	be 80 00 00 00       	mov    esi,0x80
8aa:	48 89 c7             	mov    rdi,rax
8ad:	e8 be fe ff ff       	call   770 <fgets@plt>
8b2:	48 8d 45 80          	lea    rax,[rbp-0x80]
8b6:	48 89 c7             	mov    rdi,rax
8b9:	e8 82 fe ff ff       	call   740 <system@plt>
8be:	c9                   	leave  
8bf:	c3                   	ret

Loads a variable at [rbp-0x80] aka cmd and calls fgets(cmd, 128, stdin) and then system(cmd)

notes

7WJ6jFBzrcjEYXudxnM3kdW7n3qyxR6tk2xGrkSC

b *0x8048866
set disassembly-flavor intel
lay asm
focus cmd
tty /dev/pts/1
run < /tmp/level05
x/10s (char*)(*environ)
 x/10x 0x080497e0
Last changed by 
Jun Han Ng
0
239

Read more

/dev/log/ for BADASS

This note is yours, feel free to play around. Type on the left and see the rendered result on the right.

Oct 16, 2024
/dev/log for total_perspective_vortex

This project is about creating a full machine learning pipeline that trains and predicts brain activity using EEG data.

Jul 26, 2024
/dev/log for rainfall

Setup I set up a VM with the ISO as a masOs 64 bit OS and I got this interface: image level0 Upon entering, I see this getting printed out : To start, ssh with level0/level0 on 192.168.100.82:4242 level0@192.168.100.82&apos;s password:

Jul 5, 2024
/dev/log for multilayer_perceptron

The multilayer perceptron is a direct model of a human brain where it learns to associate specific inputs to specific outputs.

Jun 23, 2024
Read more from Jun Han Ng
Published on HackMD